Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt
Matthijs Mekking <matthijs@pletterpet.nl> Tue, 26 October 2021 08:10 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C9F03A1266 for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 01:10:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.247
X-Spam-Level:
X-Spam-Status: No, score=-5.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-3.33, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VPO2kCVVZShW for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 01:10:37 -0700 (PDT)
Received: from lb3-smtp-cloud8.xs4all.net (lb3-smtp-cloud8.xs4all.net [194.109.24.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 673193A1265 for <dnsop@ietf.org>; Tue, 26 Oct 2021 01:10:36 -0700 (PDT)
Received: from cust-69fe625f ([IPv6:fc0c:c103:c4a6:cf3c:d2f9:56fe:3f93:cb0b]) by smtp-cloud8.xs4all.net with ESMTPSA id fHXRmKhJmFfMifHXUmVtgV; Tue, 26 Oct 2021 10:10:32 +0200
To: dnsop@ietf.org
References: <161953482575.7668.10479553059119648994@ietfa.amsl.com> <f9f4dcfc-3bc4-3859-7aab-568c3f5d0a29@nic.cz> <367EA8BC-BD5E-4363-A3FC-D5F3AF41305E@dnss.ec>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <ee4417ee-9531-df83-96a5-0a55dd397755@pletterpet.nl>
Date: Tue, 26 Oct 2021 10:10:29 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <367EA8BC-BD5E-4363-A3FC-D5F3AF41305E@dnss.ec>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4xfG0MOmiyHF/5TRABN40adp4d4XaRzR+2uKCXUArBmsjeJEMwsuhwTEiO2Dlc6F9r5eOPzuOSLITtlXw0S39BzslylwuTzBOORFa676sQ0k3m0fuwC2/V WvVdNhlnomOyfXt0sagtdts+CHZJkY1d2kDIeNfCpQInG4c0CXnXW6QuhNkcwlSDZw7CtsAzvtz72dYoSNOkKJlQhroj6UTX4sQrvuDPvmpXfAPc917IrP38 XS3LaKv393u6vd0ebTy0tJKouc4eEudzSKnVGyE9zWP9YMJEbfomzAlw7skT5gRX
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hpiDx0Gm3xE6zw_3gyF2fGWjf-A>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 08:10:42 -0000
Hi, On 26-10-2021 01:56, Roy Arends wrote: > >> On 20 Oct 2021, at 14:14, libor.peltan <libor.peltan@nic.cz> >> wrote: >> >> Hi all, >> >> although for me, as an implementer of an auth server, it's not too >> important, I'd like to ask for clarification regarding the foreseen >> reporting domain(s) setup in the (usual) case of many secondary >> auth servers. >> >> The draft says: "Each authoritative server SHOULD be configured >> with a unique reporting agent domain." >> >> I see two possible error situations: >> >> 1) the zone itself is wrongly signed, so all secondaries share the >> same error 2) some of the secondaries respond wrongly from >> correctly signed zone, so the error is slave-specific >> >> IMHO the case (2) is far less common. And the case (1) doesn't >> require per-secondary reporting domain, just per-zone. >> >> Is it really recommended (in capitals) that the zone operator >> prepares extra reporting domain for each secondary around the world >> (it can be hundreds)? If you have outsourced your secondaries to a company that has hundreds of secondaries I guess you can also set up a reporting agent domain like "company1.reporting-agent.example". and "company2.reporting-agent.example". It won't tell you exactly which server caused the problem, but at least it gives you some idea without having to set up hundreds of domains. But I am also not convinced that the recommendation needs to be in capitals. > The domain owner may have contracts with more than one operator. The > operator may operate many authoritative servers, which not all serve > the same set of zones. > > If the reporting agent domain is unique, the erroneous server can be > pinpointed faster. If all auth servers for a domain have the same > reporting agent domain, the reporting agent knows there is an error, > just doesn’t know where. > >> If so, it can cause a disclosure about which secondary the answer >> is comming from, dunno if some zone operators are not willing to >> conceal this. > > In that case, the zone operator doesn’t have to deploy EDE reporting, > right? The zone operator may still be interested in knowing about resolving issues. And DNS error reporting would still work if you have just a single reporting agent domain. Matthijs > Roy > >> >> Thanks! >> >> Libor >> >> Dne 27. 04. 21 v 16:47 internet-drafts@ietf.org napsal(a): >>> A New Internet-Draft is available from the on-line >>> Internet-Drafts directories. This draft is a work item of the >>> Domain Name System Operations WG of the IETF. >>> >>> Title : DNS Error Reporting Authors : Roy >>> Arends Matt Larson Filename : >>> draft-ietf-dnsop-dns-error-reporting-00.txt Pages : 12 >>> Date : 2021-04-27 >>> >>> Abstract: DNS Error Reporting is a lightweight error reporting >>> mechanism that provides the operator of an authoritative server >>> with reports on DNS resource records that fail to resolve or >>> validate, that a Domain Owner or DNS Hosting organization can use >>> to improve domain hosting. The reports are based on Extended DNS >>> Errors [RFC8914]. >>> >>> When a domain name fails to resolve or validate due to a >>> misconfiguration or an attack, the operator of the authoritative >>> server may be unaware of this. To mitigate this lack of >>> feedback, this document describes a method for a validating >>> recursive resolver to automatically signal an error to an agent >>> specified by the authoritative server. DNS Error Reporting uses >>> the DNS to report errors. >>> >>> >>> The IETF datatracker status page for this draft is: >>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/ >>> >>> >>> There are also htmlized versions available at: >>> https://tools.ietf.org/html/draft-ietf-dnsop-dns-error-reporting-00 >>> >>> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-00 >>> >>> >>> Please note that it may take a couple of minutes from the time of >>> submission until the htmlized version and diff are available at >>> tools.ietf.org. >>> >>> Internet-Drafts are also available by anonymous FTP at: >>> ftp://ftp.ietf.org/internet-drafts/ >>> >>> >>> _______________________________________________ DNSOP mailing >>> list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop >> >> _______________________________________________ DNSOP mailing list >> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop > > _______________________________________________ DNSOP mailing list > DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-re… internet-drafts
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Hoffman
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Bill Woodcock
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… libor.peltan
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Roy Arends
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Brian Dickson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Matthijs Mekking
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Petr Špaček
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát